Sync the release-next branch with master

.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+  "name": "cert-manager Website Dev",
+  "image": "mcr.microsoft.com/devcontainers/javascript-node:24",
+
+  "postCreateCommand": "npm ci && npm install -g netlify-cli",
+
+  "forwardPorts": [3000],
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "yzhang.markdown-all-in-one"
+      ]
+    }
+  }
+}

.github/workflows/check.yaml

@@ -9,9 +9,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
       - run: npm ci
       - run: npm run check

.github/workflows/make-self-upgrade.yaml

@@ -32,7 +32,7 @@ jobs:
           exit 1
 
       - name: Octo STS Token Exchange
-        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        uses: octo-sts/action@d6c70ad3b9ac85df6da6b9749014d7283987cfec # v1.0.3
         id: octo-sts
         with:
           scope: 'cert-manager/website'

.github/workflows/renovate.yaml

@@ -27,7 +27,7 @@ jobs:
           exit 1
 
       - name: Octo STS Token Exchange
-        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        uses: octo-sts/action@d6c70ad3b9ac85df6da6b9749014d7283987cfec # v1.0.3
         id: octo-sts
         with:
           scope: 'cert-manager/website'
@@ -50,7 +50,7 @@ jobs:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@f8af9272cd94a4637c29f60dea8731afd3134473 # v43.0.12
+        uses: renovatebot/github-action@a3c115cd6676c8a5bc72f9715f108759e570daf5 # v43.0.19
         with:
           configurationFile: .github/renovate.json5
           token: ${{ steps.octo-sts.outputs.token }}

.spelling

@@ -586,6 +586,7 @@ v1.18.0
 v1.18.0.
 v1.19
 v1.19.0
+v1.19.1
 alpha.0
 v1.5
 v1.5.0

README.md

@@ -141,6 +141,23 @@ npm ci
 
 This command is similar to `npm install` but it ensures that you will have a clean install of all the dependencies.
 
+### Devcontainer (optional)
+
+The repository includes a ready-to-use **devcontainer** for VS Code Dev Containers or GitHub Codespaces.
+This provides a fully configured development environment with all required tools and dependencies,
+so you can start working on the website without installing anything on your local machine.
+
+**Usage:**
+
+1. Open the repository in VS Code.
+2. When prompted, select **"Reopen in Container"** (or run **Dev Containers: Reopen in Container** from the command palette).
+3. Once the container is built, use the integrated terminal to run:
+
+```bash
+./scripts/server     # start the local development server
+./scripts/verify     # run lint, link-check, spell-check, etc.
+```
+
 ### Development Server
 
 The best development environment uses the Netlify CLI to serve the site locally. The Netlify CLI server

components/docs/VersionSelect.jsx

@@ -23,6 +23,7 @@ export default function VersionSelect({
       return compareVersions(labelFromVersion(first), labelFromVersion(second))
     })
     .reverse()
+    .slice(0, 2) // Only show the last two releases in the dropdown list
 
   return (
     <div className="bg-gray-1 rounded-md border-2 border-gray-2/50">

content/docs/configuration/acme/http01/README.md

@@ -125,9 +125,10 @@ By default, type `NodePort` will be used when you don't set HTTP01 or when you s
 You may wish to change or add to the labels and annotations of solver pods.
 These can be configured under the `metadata` field under `podTemplate`.
 
-Similarly, you can set the `nodeSelector`, tolerations and affinity of solver
-pods by configuring under the `spec` field of the `podTemplate`. No other
-spec fields can be edited.
+Similarly, you can set the `nodeSelector`, `tolerations`, `affinity`,
+`priorityClassName`, `serviceAccountName`, `securityContext`, `imagePullSecrets`
+and `resources` of solver pods by configuring under the `spec` field of
+the `podTemplate`. No other spec fields can be edited.
 
 An example of how you could configure the template is as so:
 
@@ -152,12 +153,25 @@ spec:
             spec:
               nodeSelector:
                 bar: baz
+              resources:
+                requests:
+                  cpu: 20m
+                  memory: 32Mi
+                limits:
+                  cpu: 150m
+                  memory: 64Mi
 ```
 
 The added labels and annotations will merge on top of the cert-manager defaults,
 overriding entries with the same key.
 
-No other fields of the `podTemplate` exist.
+The resources configuration **overrides** the global defaults (configured via controller flags
+`--acme-http01-solver-resource-*`) for the specific Issuer, enabling granular resource management
+in multi-tenant or restricted policy scenarios.
+
+> Note that when only specifying resource limits, ensure they are greater than or equal to the
+> corresponding global resource requests configured via controller flags. Kubernetes will reject
+> pod creation if limits are lower than requests, causing challenge failures.
 
 ### `ingressTemplate`
 

content/docs/installation/helm.md

@@ -122,7 +122,7 @@ appVersion: "0.1.0"
 dependencies:
   - name: cert-manager
     version: [[VAR::cert_manager_latest_version]]
-    repository: https://charts.jetstack.io
+    repository: oci://quay.io/jetstack/charts
     alias: cert-manager
     condition: cert-manager.enabled
 ```

content/docs/manifest.json

@@ -36,26 +36,6 @@
               "title": "Upgrade 1.17 to 1.18",
               "path": "/docs/releases/upgrading/upgrading-1.17-1.18.md"
             },
-            {
-              "title": "1.17",
-              "path": "/docs/releases/release-notes/release-notes-1.17.md"
-            },
-            {
-              "title": "Upgrade 1.16 to 1.17",
-              "path": "/docs/releases/upgrading/upgrading-1.16-1.17.md"
-            },
-            {
-              "title": "1.16",
-              "path": "/docs/releases/release-notes/release-notes-1.16.md"
-            },
-            {
-              "title": "Upgrading from 1.12",
-              "path": "/docs/releases/upgrading/upgrading-1.12.md"
-            },
-            {
-              "title": "1.12",
-              "path": "/docs/releases/release-notes/release-notes-1.12.md"
-            },
             {
               "title": "Older releases",
               "routes": [
@@ -67,6 +47,18 @@
                   "title": "Migrating Deprecated API Resources",
                   "path": "/docs/releases/upgrading/remove-deprecated-apis.md"
                 },
+                {
+                  "title": "1.17",
+                  "path": "/docs/releases/release-notes/release-notes-1.17.md"
+                },
+                {
+                  "title": "Upgrade 1.16 to 1.17",
+                  "path": "/docs/releases/upgrading/upgrading-1.16-1.17.md"
+                },
+                {
+                  "title": "1.16",
+                  "path": "/docs/releases/release-notes/release-notes-1.16.md"
+                },
                 {
                   "title": "Upgrade 1.15 to 1.16",
                   "path": "/docs/releases/upgrading/upgrading-1.15-1.16.md"
@@ -91,6 +83,15 @@
                   "title": "1.13",
                   "path": "/docs/releases/release-notes/release-notes-1.13.md"
                 },
+                {
+                  "title": "Upgrading from 1.12",
+                  "path": "/docs/releases/upgrading/upgrading-1.12.md"
+                },
+                {
+                  "title": "1.12",
+                  "path": "/docs/releases/release-notes/release-notes-1.12.md"
+                },
+
                 {
                   "title": "Upgrade 1.11 to 1.12",
                   "path": "/docs/releases/upgrading/upgrading-1.11-1.12.md"

content/docs/releases/release-notes/release-notes-1.18.md

@@ -43,7 +43,7 @@ You will see errors like this in the cert-manager controller logs:
 
 > Error presenting challenge: admission webhook `validate.nginx.ingress.kubernetes.io` denied the request: ingress contains invalid paths: path `/.well-known/acme-challenge/oTw4h9_WsobTRn5COTSyaiAx3aWn0M7_aYisoz1gXQw` cannot be used with `pathType` Exact
 
-If you use `ingress-nginx`, choose **one** of the following two options:
+If you use `ingress-nginx`, choose **one** of the following three options:
 
 #### Option 1. Disable the `ACMEHTTP01IngressPathTypeExact` feature in cert-manager
 
@@ -202,6 +202,27 @@ And finally, thanks to the cert-manager steering committee for their feedback in
 - [@TrilokGeer](https://github.com/TrilokGeer)
 
 
+## `v1.18.3`
+
+We fixed a bug which caused certificates to be re-issued unexpectedly, if the
+`issuerRef` kind or group was changed to one of the "runtime" default values.
+We increased the size limit when parsing PEM certificate chains to handle leaf
+certificates with large numbers of DNS named or other identities.
+We upgraded Go to `1.24.9` to fix various non-critical security vulnerabilities.
+
+Changes since `v1.18.2`:
+
+### Bug or Regression
+
+- BUGFIX: in case kind or group in the `issuerRef` of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the certificate to be renewed ([`#8174`](https://github.com/cert-manager/cert-manager/pull/8174), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Bump Go to `1.24.9`. Fixes the following vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`, `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`, `CVE-2025-58185`, `CVE-2025-58188`, `CVE-2025-61725` ([`#8176`](https://github.com/cert-manager/cert-manager/pull/8176), [`@wallrj-cyberark`](https://github.com/wallrj-cyberark))
+- Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities ([`#7966`](https://github.com/cert-manager/cert-manager/pull/7966), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+
+### Other (Cleanup or Flake)
+
+- Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data ([`#7964`](https://github.com/cert-manager/cert-manager/pull/7964), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Upgrades Go to `v1.24.6` ([`#7974`](https://github.com/cert-manager/cert-manager/pull/7974), [`@SgtCoDFish`](https://github.com/SgtCoDFish))
+
 ## `v1.18.2`
 
 We fixed a bug in the CSR's name constraints construction (only applies if you have enabled the `NameConstraints` feature gate).

content/docs/releases/release-notes/release-notes-1.19.md

@@ -9,6 +9,11 @@ This release focuses on expanding platform compatibility, improving deployment f
 
 Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.
 
+## Important Upgrade Notes
+
+When upgrading to cert-manager `1.19`, use the latest patch version: `[[VAR::cert_manager_latest_version]]`.
+There is a bug in `v1.19.0` which may cause certificates to be re-issued unnecessarily. We fixed this in `v1.19.1`.
+
 ## Major Themes
 
 ###  Deployment and Platform Compatibility
@@ -18,7 +23,7 @@ Be sure to review all new features and changes below, and read the full release
 
 ### ACME and Certificate Management
 - There is a new feature gate `ACMEHTTP01IngressPathTypeExact`, to allow `ingress-nginx` users to turn off the new default Ingress `PathType: Exact` setting. This is useful if you are using an old version of `ingress-nginx` which does not properly support `PathType: Exact`.
-- The Issuer and ClusterIssuer custom resources have new fields which allow you to configure resource requests and resource limits for ACME HTTP-01 solver pods. This allows teams to override the global `--acme-http01-solver-resource-*` flag values which are set by the platform administrator.
+- The Issuer and ClusterIssuer custom resources have new fields which allow you to configure resource requests and resource limits for ACME HTTP-01 solver pods. This allows teams to override the global `--acme-http01-solver-resource-*` flag values which are set by the platform administrator. Read [HTTP01 `podTemplate` Options](../../configuration/acme/http01/README.md#podtemplate) to learn more.
 - The ACME challenge authorization timeout has been increased to two minutes to reduce `error waiting for authorization` failures.
 - There is now stricter solver validation to reject configurations that specify multiple ingress selection options (e.g. `class`, `ingressClassName`, `name`).
 - There are DNS and API improvements. A new `protocol` field was added for the `rfc2136` DNS01 provider.
@@ -67,6 +72,21 @@ And finally, thanks to the cert-manager steering committee for their feedback in
 - [`@ssyno`](https://github.com/ssyno)
 {/* END steerers */}
 
+{/* BEGIN changelog v1.19.1 */}
+## `v1.19.1`
+
+We reverted the CRD-based API defaults for `Certificate.Spec.IssuerRef` and `CertificateRequest.Spec.IssuerRef` after they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager `1.20`.
+We fixed a bug that caused certificates to be re-issued unexpectedly if the `issuerRef` kind or group was changed to one of the "runtime" default values.
+We upgraded Go to `1.25.3` to address the following security vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`, `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`, `CVE-2025-58185`, `CVE-2025-58188`, and `CVE-2025-61725`.
+
+Changes since `v1.19.0`:
+
+### Bug or Regression
+
+- BUGFIX: in case kind or group in the `issuerRef` of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the certificate to be renewed ([`#8175`](https://github.com/cert-manager/cert-manager/pull/8175), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Bump Go to 1.25.3 to fix a backwards incompatible change to the validation of DNS names in X.509 SAN fields which prevented the use of DNS names with a trailing dot ([`#8177`](https://github.com/cert-manager/cert-manager/pull/8177), [`@wallrj-cyberark`](https://github.com/wallrj-cyberark))
+- Revert API defaults for issuer reference kind and group introduced in `1.19.0` ([`#8178`](https://github.com/cert-manager/cert-manager/pull/8178), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+{/* END changelog v1.19.1 */}
 {/* BEGIN changelog v1.19.0 */}
 ## `v1.19.0`
 

content/docs/releases/upgrading/upgrading-1.18-1.19.md

@@ -5,6 +5,12 @@ description: 'cert-manager installation: Upgrading v1.18 to v1.19'
 
 Before upgrading cert-manager from 1.18 to 1.19, please read the following important notes about breaking changes:
 
+## Use the latest patch version: `[[VAR::cert_manager_latest_version]]`
+
+When upgrading to cert-manager `1.19`, use the latest patch version: `[[VAR::cert_manager_latest_version]]`.
+Do not install `v1.19.0`, because it has a bug which may cause certificates to be re-issued unnecessarily.
+We fixed the bug in `v1.19.1`.
+
 ## Potentially Breaking: ACME metrics label changes
 
 A high cardinality label, called `path`, was removed from the `certmanager_acme_client_request_count` and `certmanager_acme_client_request_duration_seconds` metrics.

content/docs/usage/certificate.md

@@ -401,7 +401,7 @@ If your application only loads the private key and signed certificate once
 at start up, the new certificate won't immediately be served by your
 application, and you will want to either manually restart your pod with
 `kubectl rollout restart`, or automate the action by running
-[wave](https://github.com/wave-k8s/wave). Wave is a Secret controller that
+[Reloader](https://docs.stakater.com/reloader/). Reloader is a Secret controller that
 makes sure deployments get restarted whenever a mounted Secret changes.
 
 <div className="alert">

content/docs/variables.json

@@ -1,3 +1,3 @@
 {
-  "cert_manager_latest_version": "v1.19.0"
+  "cert_manager_latest_version": "v1.19.1"
 }

content/v1.18-docs/README.md

@@ -0,0 +1,26 @@
+---
+title: cert-manager
+description: |
+    cert-manager creates TLS certificates for workloads in your Kubernetes or OpenShift cluster and renews the certificates before they expire.
+---
+
+cert-manager creates TLS certificates for workloads in your Kubernetes or OpenShift cluster
+and renews the certificates before they expire.
+
+cert-manager can obtain certificates from a [variety of certificate authorities](configuration/issuers.md), including:
+[Let's Encrypt](configuration/acme/README.md), [HashiCorp Vault](configuration/vault.md),
+[CyberArk Certificate Manager](configuration/venafi.md) and [private PKI](configuration/ca.md).
+
+With cert-manager's [Certificate resource](usage/certificate.md), the private key and certificate are stored in a Kubernetes Secret
+which is mounted by an application Pod or used by an Ingress controller.
+With [csi-driver](usage/csi-driver/README.md), [csi-driver-spiffe](usage/csi-driver-spiffe/README.md), or [istio-csr](usage/istio-csr/README.md) ,
+the private key is generated on-demand, before the application starts up;
+the private key never leaves the node and it is not stored in a Kubernetes Secret.
+
+![High level overview diagram explaining cert-manager architecture](/images/high-level-overview.svg)
+
+This website provides the full technical documentation for the project, and can be
+used as a reference; if you feel that there's anything missing, please let us know
+or [raise a PR](https://github.com/cert-manager/website/pulls) to add it.
+
+<img referrerPolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=e661e870-758f-4c78-ac4a-0bad64a05471" />

content/v1.18-docs/cli/README.md

@@ -0,0 +1,7 @@
+---
+title: CLI reference
+description: cert-manager CLI documentation
+---
+
+View the `--help` output from our various CLI tools, including those which run in containers in your cluster.
+This might help if you need to tweak an option or if you need to check which values are valid!

content/v1.18-docs/cli/acmesolver.md

@@ -0,0 +1,17 @@
+---
+title: acmesolver CLI reference
+description: "cert-manager acmesolver CLI documentation"
+---
+```
+HTTP server used to solve ACME challenges.
+
+Usage:
+  acmesolver [flags]
+
+Flags:
+      --domain string     the domain name to verify
+  -h, --help              help for acmesolver
+      --key string        the challenge key to respond with
+      --listen-port int   the port number to listen on for connections (default 8089)
+      --token string      the challenge token to verify against
+```